Technical Article

v.10 - iSessions in the Cloud (or a remote data center, you choose)

Well, I’ve covered the basics of iSessions – a secure, optimized tunnel between two BIG-IPs – so now it’s time to talk about usefulness, both today and going forward. Since iSessions are an infrastructure issue, the following works for redundant data centers also, assuming they have BIG-IPs in them, it’s just that cloud is the buzzword du-jour, and there’s actually a teentsy bit more benefit to using them for the cloud.

First off, I assume that your cloud vendor has BIG-IPs (that is a safe assumption as of today), but you’re living in the real world, check with them first, there are a few that haven’t yet realized that BIG-IP should be a key part of their adaptive infrastructure.

Many of you – probably most of you – are not out throwing your proprietary data at clouds any more than most of you threw your proprietary data at SaaS. There are security, control, and ownership issues that (real or not) limit the level of real-world interaction with the cloud. But not all of your systems work with proprietary data, and if your applications are modularized (they are if you have web services interfaces to them), then you can move just the code that doesn’t have data critical to the success of your organization out to the cloud, or as some large organizations are doing, build your own internal cloud services.

Having said that, you then have to worry about performance and security. It’s one thing to move an entire application out to a service provider, another to have your application in your data center need to go to a cloud provider to service its requests. And since it’s over the public Internet, the data going to the cloud provider should be encrypted in some manner. You’d be surprised what information can be surmised about your organization just by watching non-critical unencrypted traffic, and in some industries you’d be surprised who’s looking (insurance, for example, has long had competitive intelligence teams that are very Internet savvy).

That’s where iSessions come in. A secure, optimized pipe between two BIG-IPs means that you can move code unchanged out to a cloud provider or another data center – you’ll have a local IP for the service, and that will automatically be forwarded to the remote BIG-IP for routing. Forwarded in an encrypted and optimized tunnel. Of course real-world modularized applications often aren’t that easy to pare out of a core system (ever notice how database lookups sneak their way into the most generic of code in a complex system?), but the direction the data center is headed these days says that you’d better be modular – and truly modular – relatively soon anyway, so I’ll leave the vagaries of your implementation in your capable hands. One suggestion is to make a database proxy in your datacenter and use iSessions to route DB requests through it. You might be able to just use database connections – lots of people are starting to use BIG-IP to load balance databases – but I’ve not tried a database protocol through iSessions yet, and they’re new enough that I don’t know anyone who’s tried. But back to the point, you forward requests and get responses like you’re talking to a local server, and you can put as much power as you need behind the BIG-IP on the other end. A simple application that just does a couple of quick things and sees medium utilization? A single server is behind that remote BIG-IP. A horrifically complex system that uses seconds of actual computation time to come up with a response? Put a pool of servers at the other end and load balance them (preferably with one of the advanced “Application Delivery Network” algorithms that considers server load in making load balancing decisions).

Then it’s in the cloud, but it’s not like it’s in the cloud. You’re splitting off reasonable and not-too-worrisome parts of your application infrastructure and offloading them to a more dynamic environment, while the code that doesn’t move doesn’t change. Could you do this other ways? Yes. Would it be this easy? Nope. And in the end that’s what adaptive infrastructure should do for you – increase your options without requiring you to re-architect your applications. No doubt they’ll require some tweaks, but full-blown re-architecting is out for most of us in good years, and this isn’t a good year, so tweaks are our answer to your dilemma.

It’s fast, it’s secure, it’s not a massive change to your apps, what’s not to like?

I have some intriguing inter-datacenter replication ideas with iSessions too, but they’ll have to wait until I can test them, and a series of issues – including a new home NAS – have kept me from upgrading my BIG-IP to v.10. Once I get that done, Jason Rahm and I will set up some iSessions tunnels on our BIG-IPs and I’ll start talking more to you about the pie-in-the-sky stuff I’ve been blue-skying.

And yeah, few ideas come out of nowhere these days, so credit where it’s due, Lori and I’ve been talking cloud forever (she has much more tolerance for the hype cycle than I, if XML didn’t show you that, I want usable, not hype), and Erik, one of our VPs sent out some literature that actually spurred me to write this post.

I am still trying to understand the utility of iSession. If I understand correctly, the iSession provides a encrypted "tunnel" for site to site (BIG IP-to- BIG IP) resource sharing. In other words, I can build a BIG IP VPN tunnel (i.e. iSession) between data center locations, which a resource (i.e. Virtual server) can be reach that remote location (or vice-versa) not existing at the local BIG IP?

It puts me in the mind of an adaptive COOP scenario, which I can use the link for dynamic back ups or real time services to between remote BIP IP sources.

0

About DevCentral

We are a community of 300,000+ technical peers who solve problems together.